Saturday, October 25, 2008

"The ID triangle: before a passenger boards a commercial flight, he interacts with his airline or the government three times—when he purchases his ticket; when he passes through airport security; and finally at the gate, when he presents his boarding pass to an airline agent. It is at the first point of contact, when the ticket is purchased, that a passenger’s name is checked against the government’s no-fly list. It is not checked again, and for this reason, Schneier argued, the process is merely another form of security theater.

“The goal is to make sure that this ID triangle represents one person,” he explained. “Here’s how you get around it. Let’s assume you’re a terrorist and you believe your name is on the watch list.” It’s easy for a terrorist to check whether the government has cottoned on to his existence, Schneier said; he simply has to submit his name online to the new, privately run CLEAR program, which is meant to fast-pass approved travelers through security. If the terrorist is rejected, then he knows he’s on the watch list.

To slip through the only check against the no-fly list, the terrorist uses a stolen credit card to buy a ticket under a fake name. “Then you print a fake boarding pass with your real name on it and go to the airport. You give your real ID, and the fake boarding pass with your real name on it, to security. They’re checking the documents against each other. They’re not checking your name against the no-fly list—that was done on the airline’s computers. Once you’re through security, you rip up the fake boarding pass, and use the real boarding pass that has the name from the stolen credit card. Then you board the plane, because they’re not checking your name against your ID at boarding.”

What if you don’t know how to steal a credit card?

“Then you’re a stupid terrorist and the government will catch you,” he said.

What if you don’t know how to download a PDF of an actual boarding pass and alter it on a home computer?

“Then you’re a stupid terrorist and the government will catch you.”

I couldn’t believe that what Schneier was saying was true—in the national debate over the no-fly list, it is seldom, if ever, mentioned that the no-fly list doesn’t work. “It’s true,” he said. “The gap blows the whole system out of the water.”"

With the US presidential election looming, Edward Lazarus has been thinking about how high-level government lawyers in the Bush and Clinton administrations have done so much damage.

"What hath high-ranking government lawyers wrought over the last dozen years? Well, to start with, they cooked up the brilliant idea of impeaching a president (for only the second time in history) not for malfeasance with respect to a matter of state, but for lying about having an affair with a White House intern. And in addition to cloaking this transparently-partisan maneuver in the garb of high principle, they debased the office of the president (and their own enterprise) by crafting legal arguments that displayed a perverse and weirdly voyeuristic interest in the tawdry details of the president's sexual encounters...

And then there is lawyers' role in Bush v. Gore.

...the lawyers who joined the Bush Administration set to work justifying an unprecedented expansion of purportedly unreviewable Executive Branch authority, including the authority to flout both international law and the express demands of Congress if they were seen by the President to be in conflict with the way he sought to play his role as Commander-in-Chief. Within this aggrandized vision of Executive Branch power, the Administration's lawyers put their skills to the task of justifying the use of torture, and the incarceration of large numbers of people indefinitely and without recourse to counsel or other outside contact for an indefinite period of time. To the extent that they have tried to prosecute terrorism cases in the federal courts, moreover, the government's lawyers have played so many hide-the-ball tactical games (for instance, seeking to proceed upon secret evidence that the defendant cannot rebut because he cannot see it) that even many conservative judges have become exasperated.

At the same time, these lawyers pushed for domestic surveillance programs of dubious legality while trying to make an end run around anyone who raised objections, even the acting Attorney General. They also used extra-legal means to attack political critics, including leaking the identity of CIA agent Valerie Plame. And not least, they undermined the integrity, credibility, and morale of the Justice Department by pressuring U.S. Attorneys to bring prosecutions for partisan purposes and by filling rank-and-file civil service positions based on ideology, rather than merit."

Friday, October 24, 2008

"TOKYO (AP) _ A 43-year-old player in a virtual game world became so angry about her sudden divorce from her online husband that she logged on with his password and killed his digital persona, police said Thursday.

The woman, who has been jailed on suspicion of illegally accessing a computer and manipulating electronic data, used his ID and password to log onto the popular interactive game "Maple Story" to carry out the virtual murder in May, a police official in the northern city of Sapporo said. He spoke on condition of anonymity because of department policy.

"I was suddenly divorced, without a word of warning. That made me so angry," the official quoted her as telling investigators and admitting the allegations.

The woman, a piano teacher, had not plotted any revenge in the real world, the official said.

She has not yet been formally charged. If convicted, she could face up to five years in prison or a fine up to US$5,000."

According to the good folk at EDRI the telecoms package recently passed by the EU parliament retains worrying provisions potentially facilitating the introduction of a 3-strikes law on a European scale. German MEP, Ruth Hieronymi, who was instrumental in blocking amendment 132 which clearly opposed a 3 strikes regime, has stated publicly that she believes the telecoms package directive, as passed, now contains the legal framework for setting up an EU 3 strikes law or as the lobbyists like to call it the "graduated response" approach.

"In an attempt to influence the German government's position, a seminar, "on the development of Creative content online" was organized by the French embassy in Berlin with the title "Can the Olivennes agreement set the course for the digital future?". During the seminar, German MEP Ruth Hieronymi clearly stated that co-operation amendment 112 of the Harbour report in the Telecoms Package provided the basis for the graduated response in EU law. "I am absolutely convinced, that the legal framework is there, to fashion a model like Olivennes that is compatible with European law" she stated in relation to the Telecoms Package.

The MEP also claimed personal responsibility for the withdrawal of Amendment 132 in the Framework directive which opposed graduated response, and was in direct conflict with Amendment 112 and the other pro-Olivennes measures.

Hieronymi's comments show that the attempt to insert graduated response and copyright enforcement measures into the Harbour report was deliberate. Which means that a vote for the directive as it is now, will clearly be a vote for graduated response. Unless there is no opposition from the governments having shown some reserves, the law imposing the graduated response will be passed to all EU countries by December, as the Council seems to have decided to negotiate the document and not send it back to the EP for a second reading."

Ms Hieronymi's claims that there was deliberate intent to include a 3 strikes framework in the telecoms directive directly contradict the assurances to the contrary I was given by several of my own MEPs. Those assurances were largely based on statements by Conservative MEP Malcolm Harbour, the rapporteur for the directive, that there was nothing about copyright enforcement or 3-strikes in his report underpinning the directive.

Mr Harbour and Ms Hieronymi may have to agree to disagree on the existence or otherwise of the intent underlying the directive in respect of copyright but one thing that appears to be clear is that the amendment to the telecoms package supported by the EU parliament which could have been read to block a 3 strikes regime has apparently been quietly removed by the EU Council. The European Council working party on Telecommunications and the Information Society has dropped the following amendment to the telecoms package (amendment 166, also labeled article 32a):

"The following Article 32a shall be added: "Article 32a Access to content, services and applications Member States shall ensure that any restrictions to users' rights to access content, services and applications, if they are necessary, shall be implemented by appropriate measures, in accordance with the principles of proportionality, effectiveness and dissuasiveness. These measures shall not have the effect of hindering the development of the information society, in compliance with Directive 2000/31/EC, and shall not conflict with citizens' fundamental rights, including the right to privacy and the right to due process." "

The deletion is not even noted as is normal when such changes are made and no explanation is provided. With the Council apparently planning to pass the package now without returning to the EU parliament for a second reading it makes you wonder whether the parliament has any real function other than swallowing significant chunks of our tax revenues.

As to the 3 strikes regime, I happened to be giving a talk on IP to OU colleagues yesterday and briefly mentioned the dangers again, as well as Lilian Edwards's perspective on the Promusicae dicta from the European Court of Justice in January (regular readers will recognise the following as mainly copied from my notes on Lilian's presentation at the OII's Musicians, fans and online copyright event at LSE in March this year):

"If we withdraw access to the Net from a large number of people in the UK (and 6 million plus are considered to be engaged in copyright infringement via the Net in the UK alone), should such withdrawal be by a closed industry procedure? Practical considerations mean that for the scheme to be workable on the part of the ISPs it would have to be automated and internal to the ISPs. No impartial process or judge would be overseeing it (as is happening in the French case). But we have to realise that ISPs are not Net police but service providers. They are not set up for policing. In court copyright infringement would have to be increased to the standard of a criminal infringement because withdrawal of access to the Internet feels very much like a criminal sanction.

In addition there is a presumption of guilt not innocence. The person linked to the IP address identified as an alleged source of infringement is automatically assumed to be guilty and has the burden of proving their innocence. There are a large number of ways that people might be wrongly accused - there are a lot of reasons why the person linked to the IP address - i.e. the formal ISP subscriber - might not be the infringer. It could be other family members or their friends or others accessing open wireless access points (wifi piggybacking), or trojans enabling remote control of that machine.

There should be an absolute commitment to starting with a presumption of innocence rather than a presumption of guilt by an industry with an economic stake in an outcome whereby someone is held responsible.

Will legal access be available to the accused? Or does someone have to be cut off first? Article 6.1 of the European Convention on Human Rights (ECHR) guarantees the right to due process. Is access to the Net itself a basic human right? Article 36 of the ECHR would suggest so or at least it is very close. The French scheme is better than an unmediated scheme since it allows for the access to an independent tribunal with the oversight of a judge.

Even if we could overcome these problems, there is a serious legal question about whether a 3 strikes law is a proportionate response to the specific problem. According to the recent Promusicae v Telefónica case in the European Court of Justice the rights of the music labels to protect their copyrights must be balanced with the civil rights of users of the Net. Having access to the Net is now a fundamental part of nearly everyone's life in the developed world and it relates to basic rights to:

• free expression
• freedom of association
• education
• and employment

and the ECHR and every other serious international charter of rights says that if a law is not proportionate it is not legal.

Even with the legitimate aim of defending or protecting copyrights, the ECJ clearly instructed member state governments that they are not to endanger human rights or proportionality. Professor Lilian Edwards of Sheffield University actually thinks that this part of the decision was a clear dicta from the court aimed directly at the kind of 3 strikes notice and disconnect schemes the French have implemented and others are considering, including it seems the EU Council where there have been sustained efforts to sneak the measure through, hidden in the massively complex telecoms package directive."

"Are you ready for take-off? Plans to allow passengers to be virtually strip searched by X-ray body scanners at airports across Europe were denounced yesterday as a threat to personal dignity.

MEPs called for safeguards to prevent the revealing images — which penetrate clothing and leave little to the imagination — from being stored or published, raising fears of a trade in embarrassing pictures of celebrities being sold for high prices."

You know what's really sad about this? The focus of concern is on the possible embarrassment to celebrities. Who cares if Jo Soap gets strip searched as a matter of routine but wouldn't it be terrible if the images of some famous person ended up on the internet?

What the hell is the matter with these people?!

The print version of the story is accompanied by a cartoon of a couple of security men looking goggle-eyed at a screen with one saying "It's the phwor! on terror." That about sums it up.

It's not insane to be paranoid. That is the comforting message I took from the speech given this week by Sir Ken Macdonald, the Director of Public Prosecutions, who warned the Government not to abuse its “enormous powers of access to information”. In a direct hit on the Home Secretary's desire to record on an Orwellian database every e-mail, phone call and website visited, he said that “freedom's back is broken” if ministers give in to the pressures of a State that is insatiable.

I say comforting, because I frequently feel that I am living in a looking-glass world, where what Sir Ken calls the “paraphernalia of paranoia” makes reality feel like a spoof. Take a parochial example. Several readers sent me an article from the Lincolnshire Echo that claimed Lincoln City Council was training its plumbers and electricians to spot child abuse. I contacted some nice people at the council last week, apologising for wasting their time on what, I said, was probably overexcited gossip. But it turned out to be true. These perfectly sane people are indeed training their 820 staff to “recognise when a child may be in a harmful situation”. They believe that the Children's Act 2004 requires all employees to “safeguard and promote the welfare of children and young people when discharging the council's functions, eg, throughout their daily work or work that has been subcontracted out”. Staff will be trained, and required to “report to relevant agencies” what they see."

" A terse ruling last week in Brunner v. Ohio Republican Party-a case that could have important ramifications for the Presidential election-should serve as a reminder that the Supreme Court is, for all of its imperfections, capable of genuinely putting aside politics to apply the law.

The Underlying Dispute: Did Ohio's Secretary of State Violate the Post-Bush v. Gore Federal Voting Statute?

In the wake of Bush v. Gore, Congress enacted the Help America Vote Act (HAVA), a statute that, among other things, sets standards for federal elections...

Ohio is a swing state that President Bush narrowly carried in 2004 amidst allegations of irregularities that disproportionately suppressed the votes of Democrats. Ohio's current Secretary of State is a Democrat, Jennifer Brunner. She was recently sued by the Ohio Republican Party and a Republican state representative in Ohio, who claimed that by failing to provide county election officials with lists of newly registered voters whose registration information did not match their motor vehicle information, she had violated HAVA.

Secretary Brunner in turn responded that HAVA does not specifically require her to provide lists to county officials; that doing so would unduly burden her office; and that, in any event, another federal law-the National Voter Registration Act or "Motor Voter"-forbids systematic purging of voters from the rolls within 90 days of an election, so that there would be no point in providing this information to county election officials at this late date.

A federal district judge originally ruled in favor of the Ohio Republican Party, granting a temporary restraining order (TRO) against Secretary Brunner. However, a panel of the Sixth Circuit quickly reversed that decision, only to be reversed in turn by the full (en banc) Sixth Circuit.

Last week's en banc opinion in Ohio Republican Party v. Brunner rejected Secretary Brunner's reading of HAVA and also rejected the argument, advanced by the Secretary, that private parties could not sue to enforce HAVA. The en banc court said this was a close question, but that the district judge acted within his authority in finding a sufficient likelihood of success on the merits to grant the plaintiffs their TRO. (To gain the temporary relief of a TRO, a plaintiff must show only that he is likely to succeed in proving the allegations of the complaint, not that he actually will succeed in doing so, and that he will suffer irreparable injury absent the TRO.)

Faster than you can say "Bush v. Gore," the Supreme Court reversed the Sixth Circuit's en banc decision. It held that the legal standard governing who can sue to enforce statutes is simply too demanding for the plaintiffs to have established a likelihood of success on the merits. It was probable, instead, that they lacked the right to bring the case in the first place. As a consequence, the federal court suit was dismissed. Thus, it now appears that Secretary Brunner's decision not to flag discrepancies between voter registrations and motor vehicle records for county election officials will stand.

Had the Supreme Court not reversed the en banc Sixth Circuit ruling, thousands of newly registered Ohio voters might have been purged from the rolls. Because the Democrats have registered more new Ohio voters than have the Republicans, last week's ruling was no doubt welcome news to the Obama campaign and a disappointment to the McCain campaign. Should Senator Obama capture Ohio by a razor-thin margin, and should Ohio prove decisive in the Electoral College race, he will have the Supreme Court to thank on Inauguration Day...

The conservatives who had fashioned a test that makes it very hard for plaintiffs to bring civil rights lawsuits, were consistent enough to say that the test must be equally difficult for Republican plaintiffs to satisfy. Whether or not one agrees with that strict test, one should at least respect the Justices for applying it in a way that did not focus on the results-in this case a benefit to a Democratic Secretary of State and, more importantly, the Democratic Party...

It is no doubt faint praise to laud the Supreme Court for having the intellectual honesty to apply its legal principles even-handedly, regardless of whether those principles favor Democrats or Republicans. At a minimum, justice is supposed to be blind. Still, given the lingering shadow that Bush v. Gore casts over the Supreme Court's objectivity in cases involving Presidential elections, even such minimal fairness is heartening."

Tuesday, October 21, 2008

The Open Rights Group ORG:GRO campaign continues this week and they're even giving away five copies of my book, theoretically as an incentive to join up and hand over your fiver a month. Don't let my book put you off(!) but do consider seriously supporting a great group of people who, with limited resources, are doing sterling work in the digital rights area. Every little bit helps and it would be great to see them hitting their interim target of 1000 members by the end of the month.

"This week, to encourage more people to join up and support Open Rights with a fiver per month, we’re giving away copies of Ray Corrigan’s Digital Decision-Making: Back to the Future. Ray is a rapid-fire blogger with a big interest in digital rights issues whose work has a historical, home-grown perspective and a sharp sense of humour. If you want one of five signed copies of the book, then please sign up today and note ‘Ray da Man’ in the ‘where i heard about ORG’ box. We’ll send the books to whoevers’ fivers arrive the quickest! Here’s a quote from the synopsis to whet your appetites:

Since the general public began to use the Internet in the mid 1990s, there has been a vast amount of investment by governments and commerce in digital communications technologies. There has also been a fair degree of confusion and sometimes controversy about the purpose and effectiveness of such technologies, for example the proposed UK identity card system. Decisions about digital communications technologies are not always so clearly a subject of political concern as is the case with identity cards. The far-reaching implications for commerce and society of some of these decisions in invisible or opaque specialist fields, however, mean they should be matters of concern for every citizen. This book argues that: decisions should be based on an understanding of the systems, technology and environment within which they operate; experts and ordinary people should work together; and, technology and law are evolving in restrictive rather than enabling ways.

It’s looking pretty tight as to whether we hit our interim target of 1,000 fivers per month by the end of October. Although we’re still rising, the rate of new supporters has slowed significantly this month. Please, if you’re already a supporter then spread the word about our works on your networks."

I've never been described as a rapid-fire blogger before. Thanks Michael! Though I'm not sure some of my more serious minded colleagues would approve if they realised I was engaged in such an unconventional academic pursuit. ;-)

Update: If you have a free 7 minutes have a look at this video which gives you a rough idea of the kinds of things ORG campaign about:

"Deceptive campaigns are attempts to misdirect voters regarding the voting process for public elections. Deceptive campaign activity can be false statements about polling times, date of the election, or voter identification rules. The EPIC report reviews the potential for abuse of Internet technology in an election context, and makes recommendations on steps that could be taken by Election Protection, Election Administrators, and voters to protect the integrity of the upcoming election. A legal and policy companion of the report was simultaneously released by Common Cause and the Lawyers Committee for Civil Rights Under Law."

Terri Dowty has drawn up a list of the various authorities that are going to have to be on the massive ContactPoint children's database if they are providing ‘targeted services’ to the child.

"To save you the trouble of chasing around the different bits of legislation, I’ve brought them all together in a single list. Here goes:

(1) a children’s services authority in England; (which in itself includes social work, educational welfare, learning support etc) or a district council which is not such an authority;

(2) a Strategic Health Authority;

(3) a Special Health Authority, so far as exercising functions in relation to England, designated by order made by the Secretary of State for the purposes of this section;

(4) a Primary Care Trust;

(5) an NHS trust all or most of whose hospitals, establishments and facilities are situated in England;

(6) an NHS foundation trust;

(7) the police authority and chief officer of police for a police area in England;

(8) the British Transport Police Authority, so far as exercising functions in relation to England;

(9) a local probation board for an area in England;

(10) a youth offending team for an area in England;

(11) the governor of a prison or secure training centre in England (or, in the case of a contracted out prison or secure training centre, its director);

(12) any person to the extent that he is providing services under section 114 of the Learning and Skills Act 2000 (c. 21) - ie. anyone providing a service to young people that the Secretary of State believes will “encourage, enable or assist (directly or indirectly) effective participation by young persons in education or training”

(13) the Learning and Skills Council for England;

(14) the governing body of a maintained school in England (within the meaning of section 175 of the Education Act 2002 (c. 32));

(15) the governing body of an institution in England within the further education sector (within the meaning of that section);

(16) the proprietor of an independent school in England (within the meaning of the Education Act 1996 (c. 56));

** NB (17) a person or body of such other description as the Secretary of State may by regulations specify. ***

(18) a person registered in England for child minding or the provision of day care under Part 10A of the Children Act 1989 (c. 41);

(19) a voluntary organisation exercising functions or engaged in activities in relation to persons to whom arrangements specified in subsection (1) relate;

(20) the Commissioners of Inland Revenue;

(21) a registered social landlord;

(22) The governing body of a special school which is not maintained by a local authority and which has been approved as a special school under section 342 of the Education Act 1996.

(25) The fire and rescue authority (determined in accordance with Part 1 of the Fire and Rescue Services Act 2004) for any area in England where the local authority (within the meaning in these Regulations) is not the fire and rescue authority for the area.